@dudousxd/adonis-authkit-server 0.3.0 → 0.5.0

package/build/commands/commands.json

@@ -25,6 +25,34 @@
       "args": [],
       "options": {},
       "filePath": "eject.js"
+    },
+    {
+      "commandName": "authkit:doctor",
+      "description": "Valida a configuração do AuthKit no host e imprime achados (✅/⚠️/❌). Sai com código !=0 se houver erros.",
+      "namespace": "authkit",
+      "aliases": [],
+      "flags": [],
+      "args": [],
+      "options": { "startApp": true },
+      "filePath": "doctor.js"
+    },
+    {
+      "commandName": "authkit:rotate-keys",
+      "description": "Rotaciona as chaves de assinatura JWKS managed: gera uma nova chave (novo kid), mantém as N anteriores no JWKS para validar tokens antigos.",
+      "namespace": "authkit",
+      "aliases": [],
+      "flags": [
+        {
+          "name": "keep",
+          "flagName": "keep",
+          "required": false,
+          "type": "number",
+          "description": "Quantas chaves manter no JWKS (default 2)."
+        }
+      ],
+      "args": [],
+      "options": { "startApp": true },
+      "filePath": "rotate_keys.js"
     }
   ]
 }

package/build/commands/doctor.d.ts

@@ -0,0 +1,10 @@
+import { BaseCommand } from '@adonisjs/core/ace';
+import type { CommandOptions } from '@adonisjs/core/types/ace';
+export default class AuthkitDoctor extends BaseCommand {
+    static commandName: string;
+    static description: string;
+    static help: string[];
+    static options: CommandOptions;
+    run(): Promise<void>;
+    private print;
+}

package/build/commands/doctor.js

@@ -0,0 +1,66 @@
+var __rewriteRelativeImportExtension = (this && this.__rewriteRelativeImportExtension) || function (path, preserveJsx) {
+    if (typeof path === "string" && /^\.\.?\//.test(path)) {
+        return path.replace(/\.(tsx)$|((?:\.d)?)((?:\.[^./]+?)?)\.([cm]?)ts$/i, function (m, tsx, d, ext, cm) {
+            return tsx ? preserveJsx ? ".jsx" : ".js" : d && (!ext || !cm) ? m : (d + ext + "." + cm.toLowerCase() + "js");
+        });
+    }
+    return path;
+};
+import { BaseCommand } from '@adonisjs/core/ace';
+import { runAllChecks, hasErrors } from '../src/doctor/checks.js';
+/** Tenta importar um peer; true se importável. */
+async function canImport(specifier) {
+    try {
+        await import(__rewriteRelativeImportExtension(specifier));
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export default class AuthkitDoctor extends BaseCommand {
+    static commandName = 'authkit:doctor';
+    static description = 'Valida a configuração do AuthKit no host e imprime achados (✅/⚠️/❌). Sai com código !=0 se houver erros.';
+    static help = [
+        'Roda uma bateria de checagens sobre a config `authkit` do host:',
+        'issuer/mountPath, clients, accountStore + capacidades, session, shield,',
+        'ally (social), rate-limit, admin, webauthn e jwks.',
+    ];
+    static options = { startApp: true };
+    async run() {
+        const config = await this.app.container.make('config');
+        const authkitConfig = config.get('authkit', null) ?? null;
+        const sessionConfig = config.get('session', null) ?? null;
+        const input = {
+            authkitConfig,
+            sessionConfig,
+            peers: {
+                session: await canImport('@adonisjs/session'),
+                shield: await canImport('@adonisjs/shield'),
+                ally: await canImport('@adonisjs/ally'),
+                limiter: await canImport('@adonisjs/limiter'),
+            },
+        };
+        const findings = runAllChecks(input);
+        this.print(findings);
+        if (hasErrors(findings)) {
+            this.exitCode = 1;
+        }
+    }
+    print(findings) {
+        const icon = (l) => (l === 'ok' ? '✅' : l === 'warn' ? '⚠️ ' : '❌');
+        this.logger.info('AuthKit doctor — checagem da configuração do host\n');
+        for (const f of findings) {
+            const line = `${icon(f.level)} ${f.message}`;
+            if (f.level === 'error')
+                this.logger.logError(line);
+            else if (f.level === 'warn')
+                this.logger.warning(line);
+            else
+                this.logger.success(line);
+        }
+        const errors = findings.filter((f) => f.level === 'error').length;
+        const warns = findings.filter((f) => f.level === 'warn').length;
+        this.logger.info(`\nResumo: ${errors} erro(s), ${warns} aviso(s).`);
+    }
+}

package/build/commands/rotate_keys.d.ts

@@ -0,0 +1,10 @@
+import { BaseCommand } from '@adonisjs/core/ace';
+import type { CommandOptions } from '@adonisjs/core/types/ace';
+export default class AuthkitRotateKeys extends BaseCommand {
+    static commandName: string;
+    static description: string;
+    static help: string[];
+    static options: CommandOptions;
+    keep?: number;
+    run(): Promise<void>;
+}

package/build/commands/rotate_keys.js

@@ -0,0 +1,53 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { BaseCommand, flags } from '@adonisjs/core/ace';
+import { rotateKeystore } from '../src/keys/keystore.js';
+export default class AuthkitRotateKeys extends BaseCommand {
+    static commandName = 'authkit:rotate-keys';
+    static description = 'Rotaciona as chaves de assinatura JWKS managed: gera uma nova chave (novo kid), mantém as N anteriores no JWKS para validar tokens antigos.';
+    static help = [
+        'Requer `jwks: { source: "managed", store: "<arquivo>" }` na config authkit.',
+        'A chave nova vira a de assinatura corrente; as `--keep` mais recentes são',
+        'preservadas no JWKS público para que tokens emitidos antes ainda validem.',
+    ];
+    static options = { startApp: true };
+    async run() {
+        const config = await this.app.container.make('config');
+        const authkitConfig = config.get('authkit', null);
+        if (!authkitConfig?.jwks) {
+            this.logger.logError("❌ config('authkit').jwks ausente.");
+            this.exitCode = 1;
+            return;
+        }
+        const { source, store, algorithm } = authkitConfig.jwks;
+        if (source !== 'managed') {
+            this.logger.logError('❌ Rotação só se aplica a jwks.source = "managed".');
+            this.exitCode = 1;
+            return;
+        }
+        if (!store) {
+            this.logger.logError('❌ jwks.store não configurado. A rotação exige um keystore persistido em arquivo ' +
+                '(ex.: jwks: { source: "managed", store: "tmp/authkit_jwks.json" }). ' +
+                'Sem store, o modo managed gera uma chave efêmera por boot e rotacionar não tem efeito.');
+            this.exitCode = 1;
+            return;
+        }
+        const storePath = this.app.makePath(store);
+        const alg = algorithm ?? 'RS256';
+        const keep = this.keep ?? 2;
+        const { newKid, retiredKids, store: result } = await rotateKeystore(storePath, alg, keep);
+        this.logger.success(`✅ Nova chave de assinatura gerada: kid=${newKid} (alg=${alg}).`);
+        this.logger.info(`JWKS agora serve ${result.keys.length} chave(s) (kids: ${result.keys.map((k) => k.kid).join(', ')}).`);
+        if (retiredKids.length) {
+            this.logger.warning(`⚠️  Chaves aposentadas (tokens assinados por elas deixarão de validar): ${retiredKids.join(', ')}`);
+        }
+        this.logger.info('Reinicie o processo (ou recarregue a config) para passar a assinar com a nova chave.');
+    }
+}
+__decorate([
+    flags.number({ description: 'Quantas chaves manter no JWKS (default 2).' })
+], AuthkitRotateKeys.prototype, "keep", void 0);

package/build/host/views/account/email-confirmed.edge

@@ -0,0 +1,15 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ t('account.email_confirmed.page_title') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen flex items-center justify-center bg-gray-100 p-4">
+  <div class="w-full max-w-sm rounded-2xl bg-white p-8 text-center shadow-xl ring-1 ring-black/5">
+    <div class="text-xs font-semibold uppercase tracking-widest text-gray-400">{{ t('common.brand_eyebrow') }}</div>
+    @if(ok)
+      <h1 class="mt-2 text-xl font-semibold text-emerald-700">{{ t('account.email_confirmed.ok_title') }}</h1>
+      <p class="mt-2 text-sm text-gray-600">{{ t('account.email_confirmed.ok_body') }}</p>
+    @else
+      <h1 class="mt-2 text-xl font-semibold text-red-700">{{ t('account.email_confirmed.invalid_title') }}</h1>
+      <p class="mt-2 text-sm text-gray-600">{{ t('account.email_confirmed.invalid_body') }}</p>
+    @end
+  </div>
+</body></html>

package/build/host/views/account/security.edge

@@ -0,0 +1,83 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ t('account.security.page_title') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen bg-gray-100 p-4">
+  <div class="mx-auto max-w-2xl">
+    <div class="flex items-center justify-between py-6">
+      <div>
+        <div class="text-xs font-semibold uppercase tracking-widest text-gray-400">{{ t('common.brand_eyebrow') }}</div>
+        <h1 class="text-xl font-semibold text-gray-900">{{ t('account.security.title') }}</h1>
+        @if(email)
+          <p class="mt-1 text-sm text-gray-500">{{ t('account.security.current_email', { email: email }) }}</p>
+        @end
+      </div>
+      <form method="POST" action="/account/logout">
+        <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+        <button type="submit" class="text-sm text-gray-500 hover:underline">{{ t('account.security.logout') }}</button>
+      </form>
+    </div>
+
+    @if(!supported)
+      <div class="rounded-xl bg-white p-6 text-sm text-gray-500 shadow-sm ring-1 ring-black/5">
+        {{ t('account.security.not_supported') }}
+      </div>
+    @else
+      @if(error)
+        <div class="mb-6 rounded-lg border border-red-300 bg-red-50 p-4">
+          <p class="text-sm font-medium text-red-900">{{ error }}</p>
+        </div>
+      @end
+      @if(passwordChanged)
+        <div class="mb-6 rounded-lg border border-emerald-300 bg-emerald-50 p-4">
+          <p class="text-sm font-medium text-emerald-900">{{ passwordChanged }}</p>
+        </div>
+      @end
+      @if(emailChangeRequested)
+        <div class="mb-6 rounded-lg border border-blue-300 bg-blue-50 p-4">
+          <p class="text-sm font-medium text-blue-900">{{ emailChangeRequested }}</p>
+        </div>
+      @end
+
+      <div class="mb-6 rounded-xl bg-white p-6 shadow-sm ring-1 ring-black/5">
+        <h2 class="mb-4 text-sm font-semibold text-gray-900">{{ t('account.security.password_section') }}</h2>
+        <form method="POST" action="/account/security/password" class="space-y-4">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <div>
+            <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.security.current_password_label') }}</label>
+            <input name="currentPassword" type="password" required
+              class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+          </div>
+          <div>
+            <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.security.new_password_label') }}</label>
+            <input name="newPassword" type="password" required minlength="8"
+              class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+          </div>
+          <button type="submit" class="rounded-lg bg-gray-900 px-4 py-2 text-sm font-semibold text-white">
+            {{ t('account.security.change_password_submit') }}
+          </button>
+        </form>
+      </div>
+
+      <div class="rounded-xl bg-white p-6 shadow-sm ring-1 ring-black/5">
+        <h2 class="mb-1 text-sm font-semibold text-gray-900">{{ t('account.security.email_section') }}</h2>
+        <p class="mb-4 text-xs text-gray-500">{{ t('account.security.email_intro') }}</p>
+        <form method="POST" action="/account/security/email" class="space-y-4">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <div>
+            <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.security.new_email_label') }}</label>
+            <input name="newEmail" type="email" required
+              class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+          </div>
+          <div>
+            <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.security.email_password_label') }}</label>
+            <input name="currentPassword" type="password" required
+              class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+          </div>
+          <button type="submit" class="rounded-lg bg-gray-900 px-4 py-2 text-sm font-semibold text-white">
+            {{ t('account.security.change_email_submit') }}
+          </button>
+        </form>
+      </div>
+    @end
+  </div>
+</body></html>

package/build/host/views/account/tokens.edge

@@ -8,10 +8,13 @@
         <div class="text-xs font-semibold uppercase tracking-widest text-gray-400">{{ t('common.brand_eyebrow') }}</div>
         <h1 class="text-xl font-semibold text-gray-900">{{ t('account.tokens.title') }}</h1>
       </div>
-      <form method="POST" action="/account/logout">
-        <input type="hidden" name="_csrf" value="{{ csrfToken }}">
-        <button type="submit" class="text-sm text-gray-500 hover:underline">{{ t('account.tokens.logout') }}</button>
-      </form>
+      <div class="flex items-center gap-4">
+        <a href="/account/security" class="text-sm text-gray-500 hover:underline">{{ t('account.tokens.security') }}</a>
+        <form method="POST" action="/account/logout">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <button type="submit" class="text-sm text-gray-500 hover:underline">{{ t('account.tokens.logout') }}</button>
+        </form>
+      </div>
     </div>
 
     @if(createdToken)

package/build/host/views/admin/sessions.edge

@@ -0,0 +1,89 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ t('admin.sessions.page_title') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen bg-gray-100 p-4">
+  <div class="mx-auto max-w-4xl">
+    <div class="flex items-center justify-between py-6">
+      <div>
+        <div class="text-xs font-semibold uppercase tracking-widest text-gray-400">{{ t('common.brand_eyebrow') }}</div>
+        <h1 class="text-xl font-semibold text-gray-900">{{ t('admin.sessions.title') }}</h1>
+        @if(email)
+          <p class="mt-1 text-sm text-gray-500">{{ t('admin.sessions.account', { email: email }) }}</p>
+        @end
+      </div>
+      <form method="POST" action="/account/logout">
+        <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+        <button type="submit" class="text-sm text-gray-500 hover:underline">{{ t('admin.nav.logout') }}</button>
+      </form>
+    </div>
+
+    <nav class="mb-6 flex gap-4 text-sm font-medium">
+      <a href="/admin" class="text-gray-500 hover:underline">{{ t('admin.nav.dashboard') }}</a>
+      <a href="/admin/users" class="text-gray-900 underline">{{ t('admin.nav.users') }}</a>
+      <a href="/admin/clients" class="text-gray-500 hover:underline">{{ t('admin.nav.clients') }}</a>
+      <a href="/admin/audit" class="text-gray-500 hover:underline">{{ t('admin.nav.audit') }}</a>
+    </nav>
+
+    <a href="/admin/users" class="mb-4 inline-block text-sm text-gray-500 hover:underline">&larr; {{ t('admin.sessions.back') }}</a>
+
+    @if(!supported)
+      <div class="rounded-xl bg-white p-6 text-sm text-gray-500 shadow-sm ring-1 ring-black/5">
+        {{ t('admin.sessions.not_supported') }}
+      </div>
+    @else
+      @if(revoked)
+        <div class="mb-6 rounded-lg border border-emerald-300 bg-emerald-50 p-4">
+          <p class="text-sm font-medium text-emerald-900">
+            {{ t('admin.sessions.revoked_notice', { sessions: revoked.sessions, grants: revoked.grants, accessTokens: revoked.accessTokens, refreshTokens: revoked.refreshTokens }) }}
+          </p>
+        </div>
+      @end
+
+      <h2 class="mb-2 text-sm font-semibold text-gray-700">{{ t('admin.sessions.sessions_section') }}</h2>
+      <div class="mb-6 overflow-hidden rounded-xl bg-white shadow-sm ring-1 ring-black/5">
+        @if(sessions.length === 0)
+          <p class="p-6 text-sm text-gray-500">{{ t('admin.sessions.sessions_empty') }}</p>
+        @else
+          @each(session in sessions)
+            <div class="border-b border-gray-100 p-4 last:border-0">
+              <p class="text-sm font-medium text-gray-900">{{ session.id }}</p>
+              @if(session.loginTs)
+                <p class="text-xs text-gray-500">{{ t('admin.sessions.session_login_ts', { date: session.loginTs }) }}</p>
+              @end
+              @if(session.amr)
+                <p class="text-xs text-gray-400">{{ t('admin.sessions.session_amr', { amr: session.amr }) }}</p>
+              @end
+            </div>
+          @end
+        @end
+      </div>
+
+      <h2 class="mb-2 text-sm font-semibold text-gray-700">{{ t('admin.sessions.grants_section') }}</h2>
+      <div class="mb-6 overflow-hidden rounded-xl bg-white shadow-sm ring-1 ring-black/5">
+        @if(grants.length === 0)
+          <p class="p-6 text-sm text-gray-500">{{ t('admin.sessions.grants_empty') }}</p>
+        @else
+          @each(grant in grants)
+            <div class="border-b border-gray-100 p-4 last:border-0">
+              <p class="text-sm font-medium text-gray-900">{{ grant.id }}</p>
+              @if(grant.clientId)
+                <p class="text-xs text-gray-500">{{ t('admin.sessions.grant_client', { clientId: grant.clientId }) }}</p>
+              @end
+              <p class="text-xs text-gray-400">{{ t('admin.sessions.grant_tokens', { accessTokens: grant.accessTokens, refreshTokens: grant.refreshTokens }) }}</p>
+            </div>
+          @end
+        @end
+      </div>
+
+      @if(sessions.length > 0 || grants.length > 0)
+        <form method="POST" action="/admin/users/{{ accountId }}/revoke-sessions"
+          onsubmit="return confirm('{{ t('admin.sessions.revoke_confirm') }}')">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <button type="submit" class="rounded-lg bg-red-600 px-4 py-2 text-sm font-semibold text-white hover:opacity-90">
+            {{ t('admin.sessions.revoke_all') }}
+          </button>
+        </form>
+      @end
+    @end
+  </div>
+</body></html>

package/build/host/views/admin/users.edge

@@ -42,6 +42,7 @@
                   <p class="text-xs text-gray-500">{{ user.name }}</p>
                 @end
               </div>
+              <a href="/admin/users/{{ user.id }}/sessions" class="text-sm text-gray-500 hover:underline">{{ t('admin.users.sessions') }}</a>
             </div>
             <form method="POST" action="/admin/users/{{ user.id }}/roles" class="mt-3 flex gap-2">
               <input type="hidden" name="_csrf" value="{{ csrfToken }}">

package/build/host/views/mfa-challenge.edge

@@ -14,20 +14,24 @@
         <p class="mt-4 text-sm text-red-600">{{ error }}</p>
       @end
 
-      <div class="mt-6">
-        <label for="code" class="mb-1 block text-sm font-medium text-gray-700">{{ t('mfa_challenge.code_label') }}</label>
-        <input id="code" name="code" inputmode="numeric" autocomplete="one-time-code"
-          pattern="[0-9]*" maxlength="6" autofocus
-          class="w-full rounded-lg border border-gray-300 px-3 py-2 text-center text-lg tracking-[0.4em] outline-none transition focus:border-gray-900 focus:ring-2 focus:ring-gray-900" />
-      </div>
+      {{-- Step-up sem MFA enrolado: bloqueia o login e instrui a configurar o MFA;
+           não renderiza o campo de código (não há 2º fator a desafiar). --}}
+      @if(!noEnrollment)
+        <div class="mt-6">
+          <label for="code" class="mb-1 block text-sm font-medium text-gray-700">{{ t('mfa_challenge.code_label') }}</label>
+          <input id="code" name="code" inputmode="numeric" autocomplete="one-time-code"
+            pattern="[0-9]*" maxlength="6" autofocus
+            class="w-full rounded-lg border border-gray-300 px-3 py-2 text-center text-lg tracking-[0.4em] outline-none transition focus:border-gray-900 focus:ring-2 focus:ring-gray-900" />
+        </div>
 
-      <button type="submit"
-        class="mt-6 w-full rounded-lg bg-gray-900 py-2.5 text-sm font-semibold text-white transition hover:opacity-90">
-        {{ t('mfa_challenge.submit') }}
-      </button>
+        <button type="submit"
+          class="mt-6 w-full rounded-lg bg-gray-900 py-2.5 text-sm font-semibold text-white transition hover:opacity-90">
+          {{ t('mfa_challenge.submit') }}
+        </button>
+      @end
     </form>
 
-    @if(passkeyAvailable)
+    @if(passkeyAvailable && !noEnrollment)
       {{-- Passkey como alternativa ao código TOTP. O form é submetido por página
            inteira (não fetch) para que o 303 de volta ao client navegue o browser. --}}
       <form id="passkey-form" method="POST" action="/auth/interaction/{{ uid }}/passkey/verify" class="mt-4">
@@ -41,18 +45,20 @@
       <p id="passkey-error" class="mt-3 hidden text-sm text-red-600">{{ t('mfa_challenge.passkey_error') }}</p>
     @end
 
-    <details class="mt-6 text-sm text-gray-600">
-      <summary class="cursor-pointer hover:underline">{{ t('mfa_challenge.recovery_summary') }}</summary>
-      <form method="POST" action="/auth/interaction/{{ uid }}/mfa" class="mt-3">
-        <input type="hidden" name="_csrf" value="{{ csrfToken }}">
-        <input name="recoveryCode" placeholder="xxxxx-xxxxx"
-          class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
-        <button type="submit"
-          class="mt-3 w-full rounded-lg border border-gray-300 py-2.5 text-sm font-semibold text-gray-700 transition hover:bg-gray-50">
-          {{ t('mfa_challenge.recovery_submit') }}
-        </button>
-      </form>
-    </details>
+    @if(!noEnrollment)
+      <details class="mt-6 text-sm text-gray-600">
+        <summary class="cursor-pointer hover:underline">{{ t('mfa_challenge.recovery_summary') }}</summary>
+        <form method="POST" action="/auth/interaction/{{ uid }}/mfa" class="mt-3">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <input name="recoveryCode" placeholder="xxxxx-xxxxx"
+            class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+          <button type="submit"
+            class="mt-3 w-full rounded-lg border border-gray-300 py-2.5 text-sm font-semibold text-gray-700 transition hover:bg-gray-50">
+            {{ t('mfa_challenge.recovery_submit') }}
+          </button>
+        </form>
+      </details>
+    @end
   </div>
 
   @if(passkeyAvailable)

package/build/index.d.ts

@@ -10,8 +10,8 @@ export { resolveAdmin, resolveWebauthn, resolveDynamicRegistration } from './src
 export type { WebauthnConfigInput, ResolvedWebauthnConfig } from './src/define_config.js';
 export { lucidAccountStore } from './src/accounts/lucid_account_store.js';
 export type { LucidAccountStoreOptions, AccountSecretEncrypter, } from './src/accounts/lucid_account_store.js';
-export type { AccountStore, CoreAccountStore, AdminCapability, MfaCapability, WebauthnCapability, ProviderIdentityCapability, AuthAccount, CreateAccountInput, LinkProviderIdentityInput, ListAccountsParams, Paginated, PasskeySummary, } from './src/accounts/account_store.js';
-export { supportsMfa, supportsPasskeys, supportsProviderIdentity, } from './src/accounts/account_store.js';
+export type { AccountStore, CoreAccountStore, AdminCapability, MfaCapability, WebauthnCapability, ProviderIdentityCapability, AccountSecurityCapability, AuthAccount, CreateAccountInput, LinkProviderIdentityInput, ListAccountsParams, Paginated, PasskeySummary, } from './src/accounts/account_store.js';
+export { supportsMfa, supportsPasskeys, supportsProviderIdentity, supportsAccountSecurity, } from './src/accounts/account_store.js';
 export { withProviderIdentity } from './src/mixins/with_provider_identity.js';
 export type { ProviderIdentityRow, ProviderIdentityClass, } from './src/mixins/with_provider_identity.js';
 export { withWebauthnCredential } from './src/mixins/with_webauthn_credential.js';
@@ -26,12 +26,13 @@ export { inertiaRenderer } from './src/host/renderers/inertia_renderer.js';
 export { edgeRenderer } from './src/host/renderers/edge_renderer.js';
 export { brandFor, isFirstParty } from './src/host/branding.js';
 export type { BrandingConfig, ClientBrand } from './src/host/branding.js';
-export { resolveMessages, translate, DEFAULT_MESSAGES, DEFAULT_LOCALE } from './src/host/i18n.js';
+export { resolveMessages, translate, DEFAULT_MESSAGES, PT_BR_MESSAGES, BUILTIN_MESSAGES, DEFAULT_LOCALE, } from './src/host/i18n.js';
 export type { I18nConfig, AuthMessages } from './src/host/i18n.js';
 export type { AuthHostRenderer, AuthSocialConfig } from './src/define_config.js';
 export { registerAuthHost } from './src/host/register_auth_host.js';
 export type { AuthHostOptions } from './src/host/register_auth_host.js';
-export { resolveRateLimit } from './src/define_config.js';
+export { resolveRateLimit, resolveNotifications } from './src/define_config.js';
+export type { NotificationsConfigInput, ResolvedNotificationsConfig, } from './src/define_config.js';
 export type { RateLimitConfigInput, RateLimitBucket, ResolvedRateLimitConfig, } from './src/define_config.js';
 export { createAuthThrottles } from './src/host/rate_limit.js';
 export type { AuthThrottles, ThrottleMiddleware } from './src/host/rate_limit.js';

package/build/index.js

@@ -7,7 +7,7 @@ export { OidcService } from './src/provider/oidc_service.js';
 export { registerOidcRoutes } from './src/register_routes.js';
 export { resolveAdmin, resolveWebauthn, resolveDynamicRegistration } from './src/define_config.js';
 export { lucidAccountStore } from './src/accounts/lucid_account_store.js';
-export { supportsMfa, supportsPasskeys, supportsProviderIdentity, } from './src/accounts/account_store.js';
+export { supportsMfa, supportsPasskeys, supportsProviderIdentity, supportsAccountSecurity, } from './src/accounts/account_store.js';
 export { withProviderIdentity } from './src/mixins/with_provider_identity.js';
 export { withWebauthnCredential } from './src/mixins/with_webauthn_credential.js';
 export { lucidPatStore } from './src/pat/lucid_pat_store.js';
@@ -17,9 +17,9 @@ export { withAuditLog } from './src/mixins/with_audit_log.js';
 export { inertiaRenderer } from './src/host/renderers/inertia_renderer.js';
 export { edgeRenderer } from './src/host/renderers/edge_renderer.js';
 export { brandFor, isFirstParty } from './src/host/branding.js';
-export { resolveMessages, translate, DEFAULT_MESSAGES, DEFAULT_LOCALE } from './src/host/i18n.js';
+export { resolveMessages, translate, DEFAULT_MESSAGES, PT_BR_MESSAGES, BUILTIN_MESSAGES, DEFAULT_LOCALE, } from './src/host/i18n.js';
 export { registerAuthHost } from './src/host/register_auth_host.js';
-export { resolveRateLimit } from './src/define_config.js';
+export { resolveRateLimit, resolveNotifications } from './src/define_config.js';
 export { createAuthThrottles } from './src/host/rate_limit.js';
 /**
  * Configure hook + stubsRoot resolvidos pelo `node ace configure @dudousxd/adonis-authkit-server`.

package/build/src/accounts/account_store.d.ts

@@ -83,6 +83,49 @@ export interface AdminCapability {
     /** Substitui as roles globais de uma conta. */
     setGlobalRoles(accountId: string, roles: string[]): Promise<void>;
 }
+/**
+ * Self-service de segurança da conta (console de conta): trocar a senha e o
+ * e-mail (com confirmação no NOVO endereço). É uma CAPACIDADE opcional — stores
+ * sem suporte omitem os métodos e a UI esconde a seção correspondente.
+ *
+ * A troca de e-mail usa um token de confirmação que viaja para o NOVO endereço
+ * ({@link requestEmailChange}) e é consumido por {@link confirmEmailChange}. O
+ * store default (Lucid) reaproveita a coluna `emailVerificationToken` codificando
+ * um payload `ec:<email>:<token>` — assim NÃO exige migração nova (ver
+ * `lucid_store/core.ts`). O tradeoff é que um token de verificação de cadastro e
+ * um de troca de e-mail não coexistem (mesma coluna); na prática são fluxos
+ * distintos no tempo.
+ */
+export interface AccountSecurityCapability {
+    /**
+     * Define uma nova senha para a conta (após o controller confirmar a senha ATUAL
+     * via {@link CoreAccountStore.verifyCredentials}). Retorna false se a conta não
+     * existe.
+     */
+    changePassword(accountId: string, newPassword: string): Promise<boolean>;
+    /**
+     * Inicia a troca de e-mail: gera um token de confirmação para o `newEmail` e o
+     * persiste. Retorna o token + a conta, ou null se a conta não existe OU se o
+     * `newEmail` já pertence a outra conta.
+     */
+    requestEmailChange(accountId: string, newEmail: string): Promise<{
+        token: string;
+        account: AuthAccount;
+        newEmail: string;
+    } | null>;
+    /**
+     * Confirma a troca de e-mail consumindo o token (single-use). Em caso de
+     * sucesso aplica o novo e-mail, marca-o como verificado e limpa o token.
+     * Retorna `{ ok: true, account, newEmail }` ou `{ ok: false }`.
+     */
+    confirmEmailChange(token: string): Promise<{
+        ok: true;
+        account: AuthAccount;
+        newEmail: string;
+    } | {
+        ok: false;
+    }>;
+}
 /**
  * Account linking por identidade de provider (Google, GitHub, …).
  * `(provider, providerUserId)` é a chave estável vinda do provider OAuth — não
@@ -184,10 +227,12 @@ export interface WebauthnCapability {
  * presentes-mas-lançando). Use os type guards {@link supportsMfa},
  * {@link supportsPasskeys}, {@link supportsProviderIdentity} para estreitar.
  */
-export type AccountStore = CoreAccountStore & Partial<MfaCapability & WebauthnCapability & ProviderIdentityCapability>;
+export type AccountStore = CoreAccountStore & Partial<MfaCapability & WebauthnCapability & ProviderIdentityCapability & AccountSecurityCapability>;
 /** Type guard: o store implementa a capacidade de MFA / TOTP. */
 export declare function supportsMfa(store: AccountStore): store is AccountStore & MfaCapability;
 /** Type guard: o store implementa a capacidade de passkeys / WebAuthn. */
 export declare function supportsPasskeys(store: AccountStore): store is AccountStore & WebauthnCapability;
 /** Type guard: o store implementa account linking por identidade de provider. */
 export declare function supportsProviderIdentity(store: AccountStore): store is AccountStore & ProviderIdentityCapability;
+/** Type guard: o store implementa o self-service de segurança (senha/e-mail). */
+export declare function supportsAccountSecurity(store: AccountStore): store is AccountStore & AccountSecurityCapability;

package/build/src/accounts/account_store.js

@@ -10,3 +10,7 @@ export function supportsPasskeys(store) {
 export function supportsProviderIdentity(store) {
     return typeof store.findByProviderIdentity === 'function';
 }
+/** Type guard: o store implementa o self-service de segurança (senha/e-mail). */
+export function supportsAccountSecurity(store) {
+    return typeof store.changePassword === 'function';
+}

package/build/src/accounts/lucid_store/core.d.ts

@@ -1,8 +1,9 @@
-import type { CoreAccountStore } from '../account_store.js';
+import type { AccountSecurityCapability, CoreAccountStore } from '../account_store.js';
 import type { LucidStoreContext } from './shared.js';
 /**
  * Núcleo SEMPRE presente do {@link CoreAccountStore} sobre um model Lucid:
- * identidade, cadastro, reset de senha, verificação de e-mail e administração
- * (listagem paginada + roles globais).
+ * identidade, cadastro, reset de senha, verificação de e-mail, administração
+ * (listagem paginada + roles globais) e o self-service de segurança
+ * ({@link AccountSecurityCapability}: trocar senha/e-mail).
  */
-export declare function buildCore(ctx: LucidStoreContext): CoreAccountStore;
+export declare function buildCore(ctx: LucidStoreContext): CoreAccountStore & AccountSecurityCapability;